Red Hat EAP Security Update RHSA-2020-3637-01: Important Threats
red hat
September 7, 2020
An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 6
Solution
Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.
For details about how to apply this update, which includes the changes
described in this advisory, see:
https://access.redhat.com/articles/11258
Summary
This release of Red Hat JBoss Enterprise Application Platform 7.2.9 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.8,
and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise
Application Platform 7.2.9 Release Notes for information about the most
significant bug fixes and enhancements included in this release.
Security Fix(es):
* jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)
* jackson-databind: Lacks certain xbean-reflect/JNDI blocking
(CVE-2020-8840)
* jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)
* jackson-databind: mishandles the interaction between serialization
gadgets and typing which could result in remote command execution
(CVE-2020-10672)
* jackson-databind: mishandles the interaction between serialization
gadgets and typing which could result in remote command execution
(CVE-2020-10673)
* jackson-databind: Serialization gadgets in shaded-hikari-config
(CVE-2020-9546)
* undertow: EAP: field-name is not parsed in accordance to RFC7230
(CVE-2020-1710)
* wildfly-undertow: Undertow: Incomplete fix for CVE-2017-2666 due to
permitting invalid characters in HTTP requests (CVE-2020-10687)
* jsf-impl: Mojarra: Path traversal via either the loc parameter or the con
parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)
* resteasy-jaxrs: resteasy: Improper validation of response header in
MediaTypeHeaderDelegate.java class (CVE-2020-1695)
* wildfly-elytron: session fixation when using FORM authentication
(CVE-2020-10714)
* dom4j: XML External Entity vulnerability in default SAX parser
(CVE-2020-10683)
* wildfly: Improper authorization issue in WildFlySecurityManager when
using alternative protection domain (CVE-2020-1748)
* hibernate-validator: Improper input validation in the interpolation of
constraint error messages (CVE-2020-10693)
* hibernate-core: hibernate: SQL injection issue in Hibernate ORM
(CVE-2019-14900)
* wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API
(CVE-2020-10718)
• wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
(CVE-2020-10740)
* jboss-ejb-client: wildfly: EJB SessionOpenInvocations may not be removed
properly after a response is received causing Denial of Service
(CVE-2020-14307)
* jboss-ejb-client: wildfly: Some EJB transaction objects may get
accumulated causing Denial of Service (CVE-2020-14297)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, see the CVE page(s) listed in the
References section.
References
https://access.redhat.com/security/cve/CVE-2019-14900 https://access.redhat.com/security/cve/CVE-2020-1695 https://access.redhat.com/security/cve/CVE-2020-1710 https://access.redhat.com/security/cve/CVE-2020-1748 https://access.redhat.com/security/cve/CVE-2020-6950 https://access.redhat.com/security/cve/CVE-2020-8840 https://access.redhat.com/security/cve/CVE-2020-9546 https://access.redhat.com/security/cve/CVE-2020-9547 https://access.redhat.com/security/cve/CVE-2020-9548 https://access.redhat.com/security/cve/CVE-2020-10672 https://access.redhat.com/security/cve/CVE-2020-10673 https://access.redhat.com/security/cve/CVE-2020-10683 https://access.redhat.com/security/cve/CVE-2020-10687 https://access.redhat.com/security/cve/CVE-2020-10693 https://access.redhat.com/security/cve/CVE-2020-10714 https://access.redhat.com/security/cve/CVE-2020-10718 https://access.redhat.com/security/cve/CVE-2020-10740 https://access.redhat.com/security/cve/CVE-2020-14297 https://access.redhat.com/security/cve/CVE-2020-14307 https://access.redhat.com/security/updates/classification#important https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.2 Read the Full Advisory
Package List
Red Hat JBoss EAP 7.2 for RHEL 6 Server:
Source:
eap7-dom4j-2.1.3-1.redhat_00001.1.el6eap.src.rpm
eap7-elytron-web-1.2.5-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-glassfish-jsf-2.3.5-13.SP3_redhat_00011.1.el6eap.src.rpm
eap7-hal-console-3.0.23-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-hibernate-5.3.17-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-jackson-databind-2.9.10.4-1.redhat_00001.1.el6eap.src.rpm
eap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-jboss-jsf-api_2.3_spec-2.3.5-7.SP2_redhat_00005.1.el6eap.src.rpm
eap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-jboss-modules-1.8.10-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-jboss-server-migration-1.3.1-13.Final_redhat_00014.1.el6eap.src.rpm
eap7-jboss-xnio-base-3.7.6-4.SP3_redhat_00001.1.el6eap.src.rpm
eap7-resteasy-3.6.1-10.SP9_redhat_00001.1.el6eap.src.rpm
eap7-undertow-2.0.30-4.SP4_redhat_00001.1.el6eap.src.rpm
eap7-weld-core-3.0.6-4.Final_redhat_00004.1.el6eap.src.rpm
eap7-wildfly-7.2.9-4.GA_redhat_00003.1.el6eap.src.rpm
eap7-wildfly-elytron-1.6.8-1.Final_redhat_00001.1.el6eap.src.rpm
Read the Full Advisory
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2020:3637-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3637
Issue date: 2020-09-07
Topic
An update is now available for Red Hat JBoss Enterprise ApplicationPlatform 7.2 for Red Hat Enterprise Linux 6.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Relevant Releases Architectures
Red Hat JBoss EAP 7.2 for RHEL 6 Server - noarch
Bugs Fixed
1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM
1694235 - CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser
1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
1785049 - CVE-2020-10687 Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests
1793970 - CVE-2020-1710 EAP: field-name is not parsed in accordance to RFC7230
1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371
1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages
1807707 - CVE-2020-1748 Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain
1815470 - CVE-2020-10673 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
1815495 - CVE-2020-10672 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking
1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!